#!/usr/bin/env bash


# ----------------------------------------------------------------------
# Filename	:  loginFail
# Version	:  1.0
# Date		:  2022/01/28
# Author	:  Lz
# Email		:  liuzuo@kylinos.com.cn 
# History	:     
#            	   Version 1.0, 2022/02/28
# Function	:  登录失败锁定
# Out		:        
#              0 => TPASS
#              1 => TFAIL
#              other=> TCONF
# ----------------------------------------------------------------------


# 测试主题
Title_Env_LTFLIB="安全加固(配置类) - 登录失败锁定"


## TODO : 个性化,初始化
#   Out : 0=>TPASS
#         1=>TFAIL
#         2=>TCONF
TestInit_LTFLIB(){
	# 判断是否存在变量
	if [ "Z${Deny_Config_SSRFlag}" == "Z" ];then
		OutputRet_LTFLIB "${ERROR}"	
		TestRetParse_LTFLIB "未定义变量 Deny_Config_SSRFlag"
	fi
	if [ "Z${UnlockTime_Config_SSRFlag}" == "Z" ];then
		OutputRet_LTFLIB "${ERROR}"	
		TestRetParse_LTFLIB "未定义变量 UnlockTime_Config_SSRFlag"
	fi
	if [ "Z${RootEvenDeny_Config_SSRFlag}" == "Z" ];then
		OutputRet_LTFLIB "${ERROR}"	
		TestRetParse_LTFLIB "未定义变量 RootEvenDeny_Config_SSRFlag"
        elif [ "Z${RootEvenDeny_Config_SSRFlag}" != "ZTrue" -a "Z${RootEvenDeny_Config_SSRFlag}" != "ZFalse" ];then
                OutputRet_LTFLIB "${ERROR}"
                TestRetParse_LTFLIB "RootEvenDeny_Config_SSRFlag 无效的参数: ${RootEvenDeny_Config_SSRFlag}"
	fi
	if [ "Z${RootUnlockTime_Config_SSRFlag}" == "Z" ];then
		OutputRet_LTFLIB "${ERROR}"	
		TestRetParse_LTFLIB "未定义变量 Deny_Config_SSRFlag"
	fi

	# 判断变量是否为数字
	if [ "${Deny_Config_SSRFlag}" -ge 0 ];then
		true
	else
		OutputRet_LTFLIB "${ERROR}"	
		TestRetParse_LTFLIB "Deny_Config_SSRFlag 非法值: ${Deny_Config_SSRFlag}"
	fi
	if [ "${UnlockTime_Config_SSRFlag}" -ge 0 ];then
		true
	else
		OutputRet_LTFLIB "${ERROR}"	
		TestRetParse_LTFLIB "UnlockTime_Config_SSRFlag 非法值: ${UnlockTime_Config_SSRFlag}"
	fi
	if [ "${RootUnlockTime_Config_SSRFlag}" -ge 0 ];then
		true
	else
		OutputRet_LTFLIB "${ERROR}"	
		TestRetParse_LTFLIB "RootUnlockTime_Config_SSRFlag 非法值: ${RootUnlockTime_Config_SSRFlag}"
	fi

        return $TPASS
}


## TODO : 清理函数
#   Out : 0=>TPASS
#         1=>TFAIL
#         2=>TCONF
TestClean_LTFLIB(){
        return $TPASS
}


## TODO : 测试用例集
#   Out : 0=>TPASS
#         1=>TFAIL
#         2=>TCONF
Testsuite_LTFLIB(){
        testcase_1
        testcase_2

        return $TPASS
}


## TODO : 密码错误次数,锁定后自动解锁时间,root用户锁定后的解锁时间
#
testcase_1(){
	local flag_str="pam_faillock.so"

	# 错误选项
        local false_str="${flag_str}"
	# 正确选项
        local trues_str="deny=${Deny_Config_SSRFlag} unlock_time=${UnlockTime_Config_SSRFlag} root_unlock_time=${RootUnlockTime_Config_SSRFlag}"
        local true_str=""
	
	# 查看文件中配置
	local files_conf="/etc/pam.d/password-auth /etc/pam.d/system-auth"
	local file_conf=""

	local cmd=""
	for file_conf in ${files_conf[@]}
	do
		cmd="cat ${file_conf}" 
		eval ${cmd} | grep "$flag_str"

		# 密码错误次数
		for true_str in ${trues_str[@]} 
		do
			# 注意字符串有空格！！！,避免unlock_time和root_unlock_time
			eval ${cmd} | grep -q " ${true_str}"
			CommRetParse_LTFLIB "${cmd}查询,要求${true_str}" "False"
		
			eval ${cmd} | grep -v " ${true_str}" | grep -q "${false_str}"
			CommRetParse_LTFLIB "${cmd}查询,不存在'${true_str}'以外的值" "False" "yes"
		done
	done
}


## TODO : root用户登录失败锁定
#
testcase_2(){
	local flag_str="pam_faillock.so"
	# 正确选项
        local true_str="even_deny_root"

	# 查看文件中配置
	local files_conf="/etc/pam.d/password-auth /etc/pam.d/system-auth"
	local file_conf=""

	local cmd=""
	for file_conf in ${files_conf[@]}
	do
		cmd="cat ${file_conf}"
		if [ "Z${RootEvenDeny_Config_SSRFlag}" == "ZTrue" ];then
			# 需要锁定
			eval ${cmd} | grep -q "${true_str}"
			CommRetParse_LTFLIB "${cmd}查询,要求存在${true_str}" "False"
		else
			# 无需锁定
			eval ${cmd} | grep -q "${true_str}"
			CommRetParse_LTFLIB "${cmd}查询,不能存在${true_str}" "False" "yes"
		fi
	done
}
#----------------------------------------------#

source "${LIB_LTFLIB}"
Main_LTFLIB $@
